Cloudflare Zero Trust on a VPS, Load Balancer, HTTPS

I'd like to set up 2 VPS with Hasura and cloudflared (via docker-compose), with all incoming traffic blocked, and a Cloudflare load balancer listening on hasura.example.com, routing traffic to both VPS based on some rules. I'd like to have HTTPS working without installing certs on Hasura, so just let cloudflared handle it. Is this something that would work in theory?

I've tried different things (like hooking up Caddy in between as a reverse proxy, and a lot of different configs), but I just can't get it to work. Most of the time I end up with ERR_SSL_VERSION_OR_CIPHER_MISMATCH when trying to access hasura.example.com. Here is an example config using Caddy (hope I don't even need Caddy). With that config, I was at least able to connect the load balancer (to origin 100.90.0.5 on the virtual network). * SEE BELOW FOR EXAMPLE, POST WAS TOO LONG TO ADD IT HERE *

Something I'm currently experimenting with is, without Caddy, using the cloudflared config to point the hostname to the hasura docker container, but I'm not sure which origin I can then point the load balancer to.
tunnel: ...
credentials-file: ...
warp-routing:
  enabled: true

ingress:
  # hostname must be a bare name: no scheme, no trailing slash
  - hostname: hasura.example.com
    service: http://hasura:8080
  # catch-all rule, required as the last entry
  - service: http_status:404
Has anyone got an idea? Thanks!
11 Replies
quambo
quambo•4mo ago
version: "3.9"

services:
  hasura:
    container_name: hasura
    image: hasura/graphql-engine:v2.37.0
    ports:
      # published on the host; not needed once cloudflared reaches hasura:8080 on the cfzero network
      - "8080:8080"
    restart: always
    env_file:
      - .env
    environment:
      HASURA_GRAPHQL_ENABLE_CONSOLE: "false"
    networks:
      - cfzero
  caddy:
    container_name: caddy
    image: caddy:2.7.6-alpine
    depends_on:
      - "hasura"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./certs:/certs
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      cfzero:
        ipv4_address: 100.90.0.5
  tunnel:
    depends_on:
      - "caddy"
    container_name: tunnel
    image: cloudflare/cloudflared
    restart: unless-stopped
    command: tunnel run
    env_file:
      - .env
    networks:
      - cfzero

networks:
  cfzero:
    ipam:
      config:
        - subnet: 100.90.0.0/24
          gateway: 100.90.0.254

volumes:
  caddy_data:
  caddy_config:
Cyb3r-Jak3
Cyb3r-Jak3•4mo ago
That error typically means there is no SSL certificate covering the domain. Do you see one in your universal SSL certificate page?
quambo
quambo•4mo ago
Hmm... right @Cyb3r-Jak3, I supposed adding an LB with the CF proxy would create the cert; thanks for the hint. I'm still interested in the best way to achieve what I need: do I need caddy with the CF origin cert setup, or is it possible to just use cloudflared?
Cyb3r-Jak3
Cyb3r-Jak3•4mo ago
You can do http/https from cloudflared to the origin. Typically you would use something like caddy in front of it if you were using its features.
quambo
quambo•4mo ago
Yeah, but I'm using caddy exclusively as a reverse proxy to hasura, so can I do HTTPS via cloudflared and proxy it to hasura via HTTP? Thanks for your help @Cyb3r-Jak3, I find it very hard to find the right configs for LB + cloudflared + HTTPS, not much info around.
Cyb3r-Jak3
Cyb3r-Jak3•4mo ago
Yeah you can
quambo
quambo•4mo ago
How does it work? Setting the cloudflared config to something like this:
tunnel: ...
credentials-file: ...
warp-routing:
  enabled: true

ingress:
  # hostname must be a bare name: no scheme, no trailing slash
  - hostname: hasura.example.com
    service: http://hasura:8080
  # catch-all rule, required as the last entry
  - service: http_status:404
What origin am I supposed to point the LB to? How do I get a certificate?
Cyb3r-Jak3
Cyb3r-Jak3•4mo ago
Cloudflare Docs
Load balancers · Cloudflare Zero Trust docs
When you create a tunnel, Cloudflare generates a subdomain of cfargotunnel.com with the UUID of the created tunnel. You can treat …
Cyb3r-Jak3
Cyb3r-Jak3•4mo ago
The edge certificate will be auto issued
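Added example, not from the thread or from Cloudflare: a small Python linter for the kind of cloudflared config posted above, checking the things that make a tunnel rule silently fall through (a misspelled `inngress` key, a hostname written as a URL, a missing catch-all rule), plus the load balancer origin derived from the tunnel UUID as the linked docs describe. It assumes the YAML has already been loaded into a dict (e.g. with PyYAML's `yaml.safe_load`); the tunnel UUID is a placeholder.

```python
# Added example (not from the thread): lint a cloudflared config.yml, loaded into a dict
# (e.g. with PyYAML's yaml.safe_load), for the mistakes in the posted config, and derive
# the load balancer origin. The tunnel UUID below is a placeholder.
from urllib.parse import urlsplit

POSTED_CONFIG = {  # constructed copy of the thread's config
    "tunnel": "00000000-0000-4000-8000-000000000000",
    "credentials-file": "...",
    "warp-routing": {"enabled": True},
    "inngress": [  # typo kept on purpose: cloudflared will not see any rules
        {"hostname": "https://hasura.example.com/", "service": "http://hasura:8080"},
        {"service": "http_status:404"},
    ],
}

def lint_config(cfg):
    """Return human-readable problems; an empty list means the rules look sane."""
    problems = []
    if "ingress" not in cfg:
        near = [k for k in cfg if "gress" in k]
        hint = f" (did you mean 'ingress' instead of '{near[0]}'?)" if near else ""
        return ["no 'ingress' section" + hint]
    rules = cfg["ingress"]
    for i, rule in enumerate(rules):
        host = rule.get("hostname")
        if host is not None and ("://" in host or "/" in host):
            problems.append(f"rule {i}: hostname {host!r} must be a bare hostname, not a URL")
        if "service" not in rule:
            problems.append(f"rule {i}: missing 'service'")
    if not rules or "hostname" in rules[-1]:
        problems.append("last ingress rule must be a catch-all without a hostname, e.g. http_status:404")
    return problems

def fix_config(cfg):
    """Corrected copy: misspelled key renamed, URL-style hostnames reduced to the host."""
    fixed = dict(cfg)
    for key in [k for k in fixed if k != "ingress" and "gress" in k]:
        fixed["ingress"] = fixed.pop(key)
    fixed["ingress"] = [dict(r) for r in fixed.get("ingress", [])]
    for rule in fixed["ingress"]:
        if "hostname" in rule:
            h = rule["hostname"]
            rule["hostname"] = urlsplit(h if "://" in h else "//" + h).hostname
    return fixed

def lb_origin(cfg):
    """Load balancer pool origin: <tunnel-uuid>.cfargotunnel.com (Virtual Network left empty)."""
    return f"{cfg['tunnel']}.cfargotunnel.com"
```

On the VPS itself, `cloudflared tunnel ingress validate` performs the authoritative check against the real config file.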
quambo
quambo•4mo ago
So, I need to leave the "Virtual Network" empty and use origin $tunnelID.cfargotunnel.com? Thanks for linking the article, going to try this out.
quambo
quambo•4mo ago
neverlucky 😛 maybe need to try later